ActivTrak Alarms Guide
ActivTrak's Alarms alert you in real time to activities that may pose security risks or impact the accuracy of your data, so you can take immediate action. There are three alarm types in ActivTrak:
- User Activity Alarms show you when an employee account is engaging in suspicious or concerning activity
- USB Alarms alert you when there’s excessive USB and/or file-sharing activity
- Security Audit Alarms are triggered by changes made to your ActivTrak Account
Use out-of-the-box alarms for common scenarios or create your own custom alerts based on any combination of conditions. Alarms are available in all paid plans.
Learn more about:
- Privacy, security and access to alarms
- Out-of-the-box alarms
- Creating new alarms
- Setting up group-based alarms
- Responding to alarms
- Scoring alarms
- Using webhooks with alarms
- The External Notification Log
- The Alarm Log
- Alarms FAQ
Privacy, security and access to alarms
ActivTrak is committed to safeguarding customer and user data. We know how important it is to meet compliance standards, industry regulations and applicable laws. That’s why our privacy-first approach is designed to empower organizations with the transformative power of workforce analytics — without compromising data privacy and trust with employees. Our Alarms are a key part of this.
Role-Based Access
You can create custom, role-based access to each Alarm on any paid plan type. For example, an Admin can provide a manager with read-only access to the Alarm Log but block the manager from accessing the Alarm Configuration page.
The user role types that can access Alarms are Admins, Configurators, and Power Users. Viewers are unable to access any Alarm pages.
To update access permissions for Alarms, navigate to Settings > Access > Role Access.
Click the down arrow in the Alarms row to expand all sub-page access options. Then, select or deselect access to each page by role type, as shown in the screenshots below.
Updating Alarms access permissions (for accounts without Screen Details)
Updating Alarms access permissions (for accounts with Screen Details)
To learn more about customizing user roles in ActivTrak, click here.
Out-of-the-box alarms
Your paid account is equipped with a set of pre-configured alarms you can use immediately out of the box for common scenarios such as Potential False Activity (PFA), Social Media Break and pornographic website access. You can find them on the Alarms Configuration page in the app (Alarms > Configuration).
Out-of-the-box alarms in the Alarm Configuration page
User Activity Alarms
In today's remote and hybrid work environments, many employees now use tools like mouse jigglers to simulate activity. These tools can make it look like people are working when they’re not, and distort productivity metrics. They’re also used by hackers to mask malicious activity and cyberattacks. To help, ActivTrak provides three alarms that allow you to detect, investigate and automatically respond to this potential false activity:
- Input Simulation Software Detected: This alarm alerts you when an employee may be using a mouse jiggler or other software that simulates activity.
- High Duration Activity Detected: This alarm lets you know when a user spends longer than 45 minutes on a single screen, which is extremely rare and may indicate the use of activity-mimicking tools or mindless clicking.
- Repetitive Activity Detected: This alarm alerts you when repeat patterns that do not look like natural human behavior are detected, such as keys being held down, a faulty mouse or keyboard, low batteries in the mouse or keyboard, and some physical mouse jigglers. While this activity is less likely to be nefarious, it usually requires further investigation to determine the cause of the repetitive activity.
Unlike other solutions, which stop at detection, ActivTrak also gives you tools to investigate and respond. For example, you can:
- Dive into detailed logs to identify when and how mouse jigglers were used
- Have ActivTrak take screen captures for more context on how and why they’re used
- Automatically switch a user to a passive state when false activity is detected
- Use custom controls to keep false activity from being captured as productive in your ActivTrak reports
To enable these alarms, which are turned off by default, visit the Alarms Configuration page (Alarms > Configuration) and toggle them on. Learn more about detecting mouse jigglers and other activity-mimicking tools here.
In addition to the Potential False Activity alarms, ActivTrak offers additional alerts you can use out of the box. All alarms are turned off by default — simply toggle them on to start receiving alerts.
Other user activity alarms
- Adult Content Accessed: Toggle it on to be alerted when a user accesses an adult content site, such as Pornhub.
- AI Usage: Toggle it on to be alerted when a user accesses an AI tool, such as ChatGPT.
- PII Accessed: Toggle it on to be alerted when a user accesses sensitive, personally identifiable information (PII) such as social security numbers.
- Potential Job Search: Toggle it on to be alerted when a user accesses a job search site, such as indeed.com.
- File Sharing: Toggle it on to be alerted when a user accesses a file-sharing site, such as Dropbox.
- Social Media Break: Toggle it on to be alerted when a user accesses a social media site, such as Facebook. (Note: This alarm is only available to customers with accounts created before May 29, 2024. Learn how to recreate this alarm by setting up a custom alarm here.)
- New Activity Screenshot: Toggle it on to trigger a screenshot when a user has been active in a new activity for 20 seconds. Note: This alarm is only available to customers with accounts created before May 29, 2024 and the Screen Details add-on enabled. Learn how to recreate this alarm by setting up a custom alarm here.
- Blocked Website Accessed: Turned on by default. Users who visit websites in the blocked website list will automatically be redirected to websiteisblocked.com. This alarm is triggered when a user visits websiteisblocked.com and the title bar contains 'website is not available' to keep a record of who is trying to access blocked websites. (Note: This alarm is only available out-of-the-box to customers with accounts created before May 29, 2024. Learn how to recreate this alarm by setting up a custom alarm here.)
USB Alarms
Data Saved to USB: Toggle it on to be alerted when a user transfers data to a USB device.
(Note: The ActivTrak Agent does not have access to anything written on a USB device. In the event the alarm is triggered, we suggest taking a look at the user's Activity Log to get a better idea of their activities around the time the alarm was triggered.)
Security Audit Alarms
All security audit alarms are turned on by default. They include:
- ActivTrak User Deleted: This alarm is triggered when a user or computer is deleted from the account.
- Alarm Deleted: This alarm is triggered when an Admin deletes an alarm in the account.
- Agent Likely Uninstalled: This alarm is triggered when a user attempts to uninstall their ActivTrak Agent from their device.
Updating out-of-the-box alarms
To review and update the settings for preconfigured alarms, click the blue "Edit" button to the right of the alarm.
1. Under "SELECTED GROUPS," the default is set to 'All Users and Computers', but you can specify which groups you would like the alarm to apply to.
Note: If your alarm will use the pop-up or terminate actions, you must select 'All Users and Computers' since these actions are not compatible with a group-based condition.
2. Under "CONDITIONS," you can see the preconfigured conditions that trigger the alarm. Each of these conditions can be edited or deleted. You can also add your own conditions by clicking "+Add Condition" at the end of the existing condition list.
Note: "MATCH ANY" is the default and recommended setting unless you require all conditions to be met for the alarm to trigger. In that case, make sure you select "MATCH ALL" above the conditions list.
3. Select the actions you want to be performed when conditions are met in the "Actions" section.
- To receive email notifications, add the recipient's email address(es), add a subject line, and your desired email body content in the respective sections.
- To receive alerts via Slack, MS Teams, or another method via webhooks, toggle on "SEND EXTERNAL NOTIFICATIONS WHEN ALARM IS TRIGGERED", then select the destination from the drop-down menu. To learn more about using alarms with webhooks, click here.
4. When finished, click the green "Save" button to apply changes.
Creating new alarms
1. To start, click on "Create New Alarm" at the top left and then fill out the prompts in the box asking to name the new alarm as well as choose the type of alarm.
There are three types of Alarms:
Activity | These alarms will be triggered by user behaviors. |
USB | These alarms will be triggered when a USB storage device is inserted or written to. |
Security Audit | These alarms will be triggered when changes are made to the account. |
This guide focuses on Activity Alarms.
2. After naming the alarm and selecting "Activity" the screen will change and a prompt to enter in conditions will appear.
3. Next, conditions will need to be added. Alarms function as an IF: THEN statement. If X happens, do Y. Conditions function as the IF part of this equation.
Depending on the goal of the alarm and which triggers will be used, we'll need to tell the alarm to trigger either when ANY of the conditions are met or only if ALL conditions are met.
There are three parts to a Condition:
Field: This section is where the alarm will look to match the conditions given.
Computer | Meta Description of the website or application. |
Description | Meta Description of the website or application. |
Duration (Sec) | How long the user is on that activity. |
Executable | The name of the application or process. |
Private IP Address | The network to which the computer is connected. |
Logon Domain | For large installations and Active Directory-connected computers, the primary domain is where the user logs in. For local users, this is usually the computer name. |
Primary Domain | For large installations and Active Directory-connected computers, the primary domain is where the computer is connected. |
Title bar | Located at the top of a window, displays the name of the website or application being used. |
URL | The website address, for example, www.google.com. |
User | The name of the user inside ActivTrak. |
Operators: This section tells the agent how to look for the keyword in the selected field.
Contains | The keyword is present somewhere in the field. |
Does Not Contain | The keyword is NOT present somewhere in the field. |
Ends with | The keyword is the last part of the string in the field. |
Equal to | The keyword is exactly what is entered in the field. For example "Google.com" will exclude "www.Google.com". |
Not Equal to | The keyword does not appear in the way it was entered in the field. |
Starts with | The keyword appears at the beginning of the string. |
Greater than | For fields with numerical values. For example, Duration (seconds) greater than "10" would tell the Alarm to trigger if a user was active for 11 seconds or longer. |
Value: The keyword or number that the Alarm is looking for in order to trigger. This can be the website name, username, keyword in a title bar or description, or the time in seconds the user is active on a particular window.
4. Finally, the Alarm can be toggled to look for the Value to be case sensitive or not.
5. There is also the option to trigger only for specific users, or to tell the Alarm to trigger for everyone except a specific user (for example, someone in Human Resources).
Note: When using conditions that require a change from "Match Any" to "Match All" the following warning will appear:
6. Now that the Conditions are set, it's time to tell the agent what actions to take when the Alarm is triggered.
There are six main actions that can be set:
Screen Captures | Screen Captures tell the Agent to take a screenshot when the alarm is triggered. Accounts with the Screen Details add-on can take multiple screenshots at a user-defined interval, with the minimum being 10 seconds. |
Pop-up Messages | Pop-Up Messages are on-screen notifications administrators can have displayed on the end user's screen if the Alarm is triggered. The message can be custom-tailored to whatever the administrator would like and has the option for pre-filled text. |
Email Notifications | Email Notifications allow the administrator to be alerted whenever the Alarm triggers. The "To" field can be populated by anyone who is listed inside Account > Access. Just like with Pop Up Messages, the Subject and Email Body field can be prefilled with the fields offered or the administrator can create a custom message. |
Webhook Notifications | Webhooks allow administrators to integrate ActivTrak alarms into other applications such as Slack or Zapier. Simply plug in the URL generated by the destination application and any additional parameters if needed. |
Terminate | Activating the Terminate action on an Alarm tells the agent to close the application that triggered that alarm. Using the Facebook example from above, if a user were to open Facebook with this Alarm active, the browser would be closed immediately, including non-Facebook tabs the user may have been using. |
Alarm Risk Level | This allows administrators to assign a point value to certain alarms, making it easier to detect and quickly analyze certain behaviors. |
7. Be sure to click the green Save button either at the top or bottom of the page!
Alarms Based on System Events such as LOGON
Admins may want to set alarms based off of a system event. This requires both Titlebar and Executable conditions. Common scenarios may be to send a pop-up to remind users upon login that they are being tracked, or to email an Admin when a former employee accesses a device that hasn't been returned yet.
1. Go to Alarms > Configuration and then either add a new Activity alarm or edit an existing one.
2. For a pop-up, 'All Users and Computers' must be selected and the account must have the Screen Details Add-on. If a pop-up is not required and an email notification is needed instead for example, specific groups can be selected.
3. Conditions must be set to MATCH ALL. Note: this also means that triggers based on LOGON and LOGOFF will require separate alarms.
4. Add both the Titlebar and Executable conditions as seen below. In our specific example, the Titlebar is equal to "LOGON" and the Executable is equal to "SYSTEM EVENT". Note: to trigger for only ONE user, you can add a third condition with Username | Equal To. Since MATCH ALL is on, multiple users cannot be listed as conditions. To trigger for multiple but not all users, set selected group(s) in step 2.
5. If applicable, toggle the pop-up on and type in the message that should be displayed at login. Or, toggle any other desired action(s) such as email notification for when the alarm is triggered.
6. Click the green Save button either at the top or bottom of the page, and then make sure the alarm is activated. Enabled alarms will all be toggled blue on the main Alarm Configuration page.
Setting up group-based alarms
Setting up a group-based alarm provides admins the opportunity to create alarms that apply only to specific groups. For example, if the marketing team needs access to Facebook, but the engineering team should never be on Facebook, an admin may want to create an alarm for anytime an engineering team member accesses Facebook.
How To:
1. In order to set up a new Group-Based alarm, navigate to Alarms > Configuration and select Create New Alarm.
2. Name the alarm and choose the Activity Alarm option
3. Once on the alarm configuration page select which group(s) you want to make the alarm effective for and finish the settings.
4. This lets you choose which users you want to be alerted about without cluttering up the conditions section, which makes alarms easier to read and set.
Note: If your alarm will use the pop-up or terminate actions, you must select 'All Users and Computers' since these actions are not compatible with a group-based condition.
Responding to alarms
In addition to configuring an alarm to trigger based on certain criteria, you can also take action and respond to alarms.
Enabling the pop-up feature in alarms provides a notification to the employee, so they can immediately self-correct and become aware that their activity may not be allowed.
Creating a pop-up alarm:
As an example, you may not want employees to access YouTube during work hours, but a Terminate alarm may not be ideal because it will close the browser including any tabs that are work-related.
This can be accomplished using the following conditions:
- Match Any
- Field: Titlebar
- Operator: Contains
- Value: youtube
- Case Sensitive: no
These conditions tell the agent to trigger the alarm when it sees "youtube" inside the title bar. Depending on your goal, you may need to tweak this to be more specific, for example if you want to allow certain videos on YouTube but not others.
Once the Pop-Up message action has been enabled, you will be prompted to enter in a message that will be seen by your end-user when the alarm is triggered.
There is an option to pre-fill some of this information by clicking on the tags above the text box. These will be contextual, changing based on who, or what triggers the alarm.
Using the example above, this is what an end-user would see based on these conditions:
NOTE: If you are using a discreet deployment and your employees do not know they are being monitored, it is not advisable to use Pop Up messages in your alarms.
Terminating Applications with alarms
While ActivTrak’s Blocking feature can prevent users from accessing specific websites, Terminate Alarms will stop the usage of specific applications or close the browser if certain keywords or conditions are met. This can limit activities that are unproductive, inappropriate or likely to compromise company data.
Terminate alarms will work similarly to other custom alarms in that you will first need to select the conditions that will cause the Alarm to trigger. Once the desired conditions are created, simply turn on the terminate action and the Alarm will close any application that meets those conditions.
NOTE: If you are using a discreet/silent deployment method, terminating may not be the ideal action. There is no mention of ActivTrak or indication as to why the application was closed, but users will notice and may question whether something has been installed on their computer.
In the example below, the goal is to stop employees when they try to access Dropbox.com, where they could potentially upload and share sensitive company documents.
Example with detailed steps:
1. Navigate to Alarms > Configuration using the left menu.
2. Click the green "+ Create New Alarm" button in the top left corner.
3. Name the alarm and choose what type of alarm it will be. For this example, we named it "Dropbox Alarm" and selected "Activity".
4. The terminate toggle can only be used when "All Users and Computers" has been selected under the top "Group Alarm" section. To terminate only for a specific user/computer, add a condition (example included below).
5. Fill out the condition(s) for which you want the application to be terminated. For example:
   - Field = Url
   - Operator = Contains
   - Value = Dropbox
6. Scroll down to the “Terminate” toggle and turn it on. (Terminate alarms also pair nicely with Email Notifications and/or External Notifications, so toggle any other desired actions during this step.)
7. Don't forget to check that the "Activate Activity Alarm" toggle in the upper right is green, and then click the green "Save" button next to it.
This example alarm will now shut the browser any time any of your monitored users accesses a URL that contains "dropbox". Note: If the application triggering the alarm is a browser, the ENTIRE browser will close, not just the tab or window that met the condition(s).
Other examples:
Terminate both the web and desktop app versions of Zoom when accessed:
- MATCH ANY
- Condition 1: Field = Url | Operator = Contains | Value = zoom
- Condition 2: Field = Executable | Operator = Equal To | Value = zoom.exe
Terminate the browser after a specific user has spent 5 minutes on Facebook:
- MATCH ALL
- Condition 1: Field = Url | Operator = Contains | Value = facebook
- Condition 2: Field = Duration (seconds) | Operator = Greater Than | Value = 300
- Condition 3: Field = User | Operator = Equal To | Value = username
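The condition logic behind this guide's Zoom, Facebook and LOGON examples, modelled in Python as an added example; it is not ActivTrak's own code. The record keys, the case-insensitive default and the rule that a missing field never matches are assumptions, and the sample activity records are constructed.

```python
from dataclasses import dataclass

# Text operators, modelled on the guide's Operators table.
TEXT_OPS = {
    "Contains": lambda field, value: value in field,
    "Does Not Contain": lambda field, value: value not in field,
    "Starts with": lambda field, value: field.startswith(value),
    "Ends with": lambda field, value: field.endswith(value),
    "Equal to": lambda field, value: field == value,
    "Not Equal to": lambda field, value: field != value,
}

@dataclass(frozen=True)
class Condition:
    field: str
    operator: str
    value: str
    case_sensitive: bool = False  # assumption: case-insensitive unless toggled
    def matches(self, activity: dict) -> bool:
        raw = activity.get(self.field)
        if raw is None:
            return False  # assumption: a field absent from the record never matches
        if self.operator == "Greater than":
            return float(raw) > float(self.value)  # numeric fields such as Duration
        field, value = str(raw), self.value
        if not self.case_sensitive:
            field, value = field.lower(), value.lower()
        return TEXT_OPS[self.operator](field, value)

@dataclass(frozen=True)
class Alarm:
    name: str
    match_all: bool  # True = MATCH ALL, False = MATCH ANY
    conditions: tuple
    def triggered(self, activity: dict) -> bool:
        results = [c.matches(activity) for c in self.conditions]
        return bool(results) and (all(results) if self.match_all else any(results))

def evaluate(alarms, activity):
    """Return the names of the alarms an activity record would trigger."""
    return [a.name for a in alarms if a.triggered(activity)]

# Alarms built from the examples in this guide.
ZOOM = Alarm("Terminate Zoom", False, (
    Condition("Url", "Contains", "zoom"),
    Condition("Executable", "Equal to", "zoom.exe"),
))
FACEBOOK = Alarm("Facebook over 5 minutes", True, (
    Condition("Url", "Contains", "facebook"),
    Condition("Duration (seconds)", "Greater than", "300"),
    Condition("User", "Equal to", "username"),
))
LOGON = Alarm("Logon reminder", True, (
    Condition("Titlebar", "Equal to", "LOGON"),
    Condition("Executable", "Equal to", "SYSTEM EVENT"),
))
# One MATCH ALL alarm cannot cover both events: Titlebar cannot equal both values.
LOGON_AND_LOGOFF = Alarm("Logon or logoff (misconfigured)", True, (
    Condition("Titlebar", "Equal to", "LOGON"),
    Condition("Titlebar", "Equal to", "LOGOFF"),
    Condition("Executable", "Equal to", "SYSTEM EVENT"),
))
ALARMS = [ZOOM, FACEBOOK, LOGON, LOGON_AND_LOGOFF]

# Constructed activity records (not real ActivTrak data).
SAMPLES = {
    "zoom_desktop": {"Executable": "Zoom.exe", "Url": "", "User": "jdoe"},
    "zoom_web": {"Executable": "chrome.exe", "Url": "https://zoom.us/j/1", "User": "jdoe"},
    "substring_hit": {"Executable": "chrome.exe", "Url": "https://example.com/image-zoom"},
    "fb_300s": {"Url": "https://www.facebook.com/", "Duration (seconds)": 300, "User": "username"},
    "fb_301s": {"Url": "https://www.facebook.com/", "Duration (seconds)": 301, "User": "username"},
    "fb_other_user": {"Url": "https://www.facebook.com/", "Duration (seconds)": 900, "User": "jdoe"},
    "logon": {"Titlebar": "LOGON", "Executable": "SYSTEM EVENT", "User": "jdoe"},
    "logoff": {"Titlebar": "LOGOFF", "Executable": "SYSTEM EVENT", "User": "jdoe"},
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(f"{label:15} -> {evaluate(ALARMS, record)}")
```

The `substring_hit` record shows that a "Contains zoom" condition also matches an unrelated URL, which matters when the Terminate action would close the user's entire browser. The `fb_300s` record does not trigger because "Greater Than 300" starts at 301 seconds.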
Scoring alarms
The Risk Level Report lets you assign weighted scores to alarms, and then use these scores to identify potentially concerning activities. Each user is assigned a risk level score based on the alarm triggers you set. You can then use these scores to see when someone is engaging in unauthorized or suspicious behavior.
To learn more about the Risk Level Report and how to set it up, click here.
Using webhooks with alarms
Webhooks are a way for an app to send automated information to other apps. For example, you could create an Alarm that, when triggered, would send information about the app to Slack and post a message.
To create an alert like this, first, navigate to Alarms and create a new alarm. For more information on creating alarms click here.
Next, enable Webhooks:
Then, enter a URL to tell the agent where to send the information. This is usually provided by the app you are trying to insert the information into. (Note: If you are using Slack or MS Teams, detailed guides can be found in the "Learn More" section below.)
Once we have that URL, ActivTrak will by default send a webhook with the following information (depending on your alarm):
Date and Time | The exact date and time the user first accessed a specific activity. |
Computer | The name of the computer pulled directly from the machine itself. |
Alias | The user alias assigned through the ActivTrak dashboard. |
Primary Domain | The main domain name of the server. |
Logon Domain | If the user is Active Directory domain attached, the domain name. If the users are not attached to a domain, the computer name will be shown. Google Chrome agents will not show anything. |
User | Friendly user name; typically First and Last. Pulled from the operating system. |
Titlebar | What is read in the title bar of the user's activity. |
Executable | The executable of the user's activity. |
Description | A short description of the user's activity. |
Website | The name of the website the user accessed. |
URL | The exact URL the user accessed for an activity. |
Session | The session ID is used by Windows to tell the difference between user sessions. You mainly only see it on Terminal Servers where there are multiple users on one computer, and Session ID 0 is almost always reserved for the System. |
Duration | The amount of time a user spent active in an activity. |
IP | The internet protocol address within the local network. |
NOTE: You can also add more information by adding to the "Parameters" field.
The External Notification Log
When you send an External Notification with the Alarms Feature, the status of this gets logged in the External Notifications Log.
The status of a webhook can do one of two things:
1) Go from Pending to Delivered, indicating successful payload delivery
or
2) Go from Pending to Failed, indicating unsuccessful payload delivery.
The Webhook log will state what alarm triggered the webhook, at what time, and how many attempts were taken to deliver the webhook to the destination you set.
If the webhook fails to be delivered, you will see the Eye icon next to failed go from Grey to Blue.
Clicking this will display the reason for the webhook failing. In our example below, the webhook failed because of missing information in the payload.
On the far right of the grid, a copy of the payload that was sent is displayed and you can click on the Eye icon to view the entire payload in JSON format.
The Alarm Log
The Alarm Log is a report available to Admins, Configurators, and Power Users (Read-only) that documents every triggered alarm instance. To access the Alarm Log, navigate to Alarms > Alarm Log.
The Alarm Log will look very similar to the Activity Log. It will display data like whether or not the action was considered Productive or Unproductive, the name of the Alarm, when it was triggered, which machine was used and by which user, along with the duration of the activity, and other fields.
Each instance of the alarm being triggered has its own entry. By clicking on the screenshot icon next to an instance the screenshot that was captured will be shown.
The Alarm Log interface will also provide information about the type of alarm it is:
Indicates if a screenshot was taken, and if it was, can be clicked to view the screenshot. | |
Indicates if a pop-up message was displayed (if configured to do so). | |
Indicates whether or not an email alert was configured and sent. | |
Indicates whether or not a webhook was utilized. | |
Indicates whether a terminate command was employed. | |
Shows the Risk Level of the alarm. This article covers Risk Levels in greater detail. |
Just like with the Activity Log, we can sort this view by user, group, computer, and date as well as change the columns displayed by using the corresponding boxes in the top left.
It is also possible to export either as a CSV file or to an attached Google Drive account.
Alarms FAQ
Learn more: